Last year was the “year of the mega breach” at retailers and other websites, according to analysis from a top cybersecurity firm.
The report from Symantec released on Tuesday found that there were 62 percent more data breaches in 2013 than in 2012. Eight of those were massive breaches that each exposed information about more than 10 million people, as opposed to just one breach of that size the previous year.
“It’s getting worse, but also the fact that it’s getting worse is a sign that it’s getting better,” said Jeff Greene, a senior policy counsel with the company.
Hackers are upgrading their tools, he said, “because the old stuff isn’t working, because people aren’t falling for it. People are getting smarter.”
For instance, last year saw attackers choosing fewer targets for spear phishing, in which hackers go after subjects with phony emails or other tricks.
People are learning how to protect themselves, Greene said, which is forcing criminals to devise new methods.
“I think that it’s getting harder and the attackers are having to move to new areas to do it,” he said.
The increased public knowledge may have been aided by a rash of high profile hacks at major retailers like Target and Neiman Marcus that exposed tens of millions of shoppers’ data late last year. The data breaches captured headlines and prompted a slew of congressional hearings from lawmakers anxious to know what could have gone wrong.
“They actually bumped [National Security Agency leaker Edward] Snowden off of the cyber news cycle,” Greene said. “So it clearly had to be big if it did that.”
Lawmakers have proposed a variety of legislation aimed at better protecting consumers, but none have so far gained traction for movement in Congress. One popular measure, though, would set national standards for companies to notify consumers if their data may have been hacked.
Some have looked to empower the Federal Trade Commission (FTC) to charge fines to companies with lax data security standards. Proponents of that option got good news on Monday, when a U.S. district court judge upheld the FTC’s power to punish companies for bad data security.